Secure all endpoints

Open jaredcat opened this issue 11 months ago • 5 comments

I expected the API_TOKEN to secure all endpoints. I wanted to be able to make requests to this API from an external network, so I don't want all this data easily accessible.

jaredcat avatar Jan 25 '25 22:01 jaredcat

@jaredcat, I've thought about adding that to all endpoints at some point, but didn't add that since most installations probably use some other authentication layer in front for protection, as it's mentioned in the security information section of the repo readme (https://github.com/tobiasehlert/teslamateapi#security-information). In most deployments you always have some kind of layer in front, so therefore the placement of such a thing is more suitable there if you ask me.

Have you found a workaround to restrict the API access for you?

tobiasehlert avatar Feb 18 '25 13:02 tobiasehlert

That's just not very normal to see for an API. It's kind of odd to me to protect some routes and then say auth is better handled somewhere else lol.

My idea for what I'm trying to do changed a bit where I'll probably be just accessing this API locally and exposing my own endpoint.

jaredcat avatar Feb 18 '25 13:02 jaredcat

Hi, I just created a PR to fix this: https://github.com/tobiasehlert/teslamateapi/pull/352

jlestel avatar Sep 03 '25 15:09 jlestel

It's better to be secure to avoid negative publicity effects due to open configurations on the internet.

And since not everyone will know how to place a proxy/middleware in front of the API, it's better to use the token already used for commands.

jlestel avatar Sep 03 '25 15:09 jlestel
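
What the thread asks for, one token check in front of every route instead of only some of them, shown as an added Go example that is neither the project's code nor the code from the linked PR. It assumes the token arrives as an `Authorization: Bearer` header; the routes, the sample token and the names `requireToken`, `newAPI` and `status` are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireToken puts one bearer-token check in front of every route of next.
// An empty configured token fails closed instead of silently disabling auth.
func requireToken(token string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(token))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		sum := sha256.Sum256([]byte(strings.TrimPrefix(h, "Bearer ")))
		// Both sides are hashed so the constant-time compare sees equal lengths.
		if token == "" || !strings.HasPrefix(h, "Bearer ") || subtle.ConstantTimeCompare(sum[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAPI builds a mux with two hypothetical routes. The check wraps the mux
// itself, so a route registered later cannot be left unprotected by accident.
func newAPI(token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/cars", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "cars") })
	mux.HandleFunc("/command", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	return requireToken(token, mux)
}

// status sends one in-memory GET to h and returns the HTTP status code.
func status(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := newAPI("constructed-sample-token") // constructed value, not a real token
	fmt.Println(status(api, "/cars", ""), status(api, "/cars", "Bearer constructed-sample-token"))
}
```

Because the wrapper runs before routing, an unauthenticated request to a path that does not exist also gets 401 rather than 404, so the API does not reveal which routes exist.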